Add east-west ingress network policy to Prometheus

This adds an ingress policy to Prometheus and utilizes
the helm-toolkit used in openstack-helm

Change-Id: Ia89d42a5305c94da26337aaf716978c1defae503
Meg Heisler 2019-02-25 09:30:06 -06:00
parent 7578ba5a4b
commit 243f6c7608
3 changed files with 16 additions and 9 deletions


@ -211,6 +211,11 @@ network:
enabled: false
port: 30900
network_policy:
prometheus:
ingress:
- {}
secrets:
tls:
monitoring:
@ -234,7 +239,7 @@ manifests:
ingress: true
helm_tests: true
job_image_repo_sync: true
network_policy: false
network_policy: true
secret_ingress_tls: true
secret_prometheus: true
service_ingress: true
@ -1193,7 +1198,7 @@ conf:
description: Prometheus failed to scrape API server(s), or all API servers have disappeared from service discovery.
summary: API server unreachable
- alert: K8SApiServerLatency
expr: histogram_quantile(0.99, sum(apiserver_request_latencies_bucket{verb!~"CONNECT|WATCHLIST|WATCH|PROXY|DELETECOLLECTION"}) WITHOUT (instance, resource)) / 1e+06 > 1
expr: histogram_quantile(0.99, sum(apiserver_request_latencies_bucket{verb!~"CONNECT|WATCHLIST|WATCH|PROXY"}) WITHOUT (instance, resource)) / 1e+06 > 1
for: 10m
labels:
severity: warning
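Review bot: The new default under `network_policy.prometheus.ingress` in the first hunk is a list holding one empty rule (`- {}`), and Kubernetes treats an empty ingress rule as matching every source and every port. With `manifests.network_policy` now defaulting to `true`, the chart ships a policy object that restricts nothing, assuming helm-toolkit renders the list unchanged, which is not visible here. That is easy to misread as isolation when auditing the namespace, so I would document it next to the default: `# NOTE: an empty rule allows all ingress; override with podSelector and ports rules to restrict access to Prometheus`. The `network_policy` and `manifests` mappings both continue outside the hunks.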


@ -19,7 +19,7 @@ set -xe
#NOTE: Lint and package chart
make prometheus
tee /tmp/prometheus.yaml <<EOF
tee /tmp/prometheus.yaml << EOF
manifests:
network_policy: true
network_policy:
@ -43,19 +43,20 @@ network_policy:
application: nagios
- podSelector:
matchLabels:
application: fluentd-exporter
- podSelector:
matchLabels:
application: fluentd
application: ingress
ports:
- protocol: TCP
port: 9093
- protocol: TCP
port: 9090
- protocol: TCP
port: 6783
- protocol: TCP
port: 9108
- protocol: TCP
port: 80
- protocol: TCP
port: 443
EOF
#NOTE: Deploy command
@ -67,4 +68,4 @@ helm upgrade --install prometheus ./prometheus \
./tools/deployment/common/wait-for-pods.sh osh-infra
#NOTE: Validate Deployment info
helm status prometheus
helm status prometheus
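Review bot: The override in the second hunk admits six TCP ports (9093, 9090, 6783, 9108, 80, 443) into the Prometheus pods from every listed `podSelector`, and nothing in the hunk or the description ties each port to a listener in the pod. A port that no container serves adds nothing today but becomes reachable if a sidecar later binds it, so the list should be limited to what Prometheus and its proxy actually expose, or each entry annotated, e.g. `# 9090: Prometheus web/API`. The rendered page has lost indentation and change markers, so it cannot be confirmed here that `application: ingress` sits under its own `- podSelector:` / `matchLabels:` pair; two `application` keys under one `matchLabels` would be a duplicate key and most parsers would keep only the last. The opening of the rule (`from:`) is outside the hunk.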


@ -48,10 +48,11 @@ function test_netpol {
fi
fi
}
# Doing negative tests
test_netpol osh-infra mariadb server elasticsearch.osh-infra.svc.cluster.local fail
test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail
test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail
# Doing positive tests
test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success
test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success
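Review bot: The Prometheus check `test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail` only shows that one disallowed source is refused, and it names no port, unlike the positive test against `mariadb.osh-infra.svc.cluster.local:3306`. A connection attempt can fail for reasons unrelated to the policy (no listener on the probed port, DNS), so this case may pass even when the policy is not enforced; which port is probed cannot be seen because the body of `test_netpol` starts above the hunk. I would pin the port the Prometheus service exposes and pair the negative case with a positive one from an allowed source, e.g. `test_netpol osh-infra nagios <component> prometheus.osh-infra.svc.cluster.local:<port> success` (placeholders, to be filled in from the chart).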